When data is being used by an application in a computer system, it is generally stored in computer memory allocated to that application. Generally, this computer memory is not available to other applications in the system, nor is it directly readable by a user of the computer system. However, the contents of memory may be made available during a memory dump, when execution is paused for an application and the contents of memory are made available for analysis. This memory dump may occur due to some problem in execution, or in other ways. For example, when a notebook computer's lid is closed, a complete memory dump may occur. By analyzing the contents of a memory dump, the contents of memory being used by an application may be discovered.
Many applications, for example, digital rights management applications, utilize data in their execution which is not intended to be made directly available to any user, even to a legitimate user. For example, cryptography keys to decrypt content for which digital rights are being managed may be used by an application, but are not intended to be directly available to a user. Currently, applications decrypt the key, store it in the application's memory, and then use the key. While in the application's memory, the key is vulnerable.
If made directly available, a user could use cryptography keys to subvert the digital rights management system in the future. Additionally, for digital rights management applications or similar sensitive applications, other information such as other users' passwords or other sensitive data are similarly stored “in the clear” (without encryption or obfuscation and in a directly useful state) so that it can be used by the application. However, such sensitive information should not be available in the clear to any user or adversary.
A memory dump attack occurs when an adversary uses the memory dump or other techniques which allow access of application memory in order to gain access to sensitive information in the clear. In such an attack, when an application has decrypted or otherwise rendered the sensitive information so it is stored in application memory in a clear state, a memory dump is triggered. The contents of memory are examined, and the sensitive information, in the clear, is retrieved from those contents. Other attacks are possible in which the contents of memory are examined and sensitive information in the clear is retrieved. When the sensitive information is available in the clear, the digital rights management system or other application using the sensitive data is compromised.